Bug 2109587

Summary: Octavia TLS tests fail when FIPS is enabled
Product: Red Hat OpenStack
Reporter: Gregory Thiemonge <gthiemon>
Component: python-octavia-tests-tempest
Assignee: Gregory Thiemonge <gthiemon>
Status: CLOSED ERRATA
QA Contact: Bruna Bonguardo <bbonguar>
Severity: high
Priority: high
Version: 17.0 (Wallaby)
CC: mburns, spower, tweining
Target Milestone: ga
Keywords: Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-octavia-tests-tempest-1.9.0-0.20220724220742.a3a95b1.el9ost
Last Closed: 2022-09-21 12:24:19 UTC
Type: Bug

Description Gregory Thiemonge 2022-07-21 14:34:09 UTC
Description of problem:

When FIPS is enabled, the Octavia TLS tests fail with a "The PKCS12 bundle is unreadable" exception.

2022-07-19 23:04:35,003 307618 INFO     [tempest.lib.common.rest_client] Request (TLSWithBarbicanTest:test_alpn_fallback_tls_traffic): 400 POST https://10.0.0.142:13876/v2.0/lbaas/listeners 4.394s
2022-07-19 23:04:35,004 307618 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"listener": {"protocol": "TERMINATED_HTTPS", "protocol_port": "443", "loadbalancer_id": "27b2c96f-e454-44ef-8d88-39bfed884246", "name": "tempest-lb_member_listener1-tls-alpn-1345456376", "default_pool_id": "e4a4af46-8b21-4130-9d00-cff6e0925e34", "default_tls_container_ref": "https://10.0.0.142:13311/v1/secrets/a3cb9bbf-47a3-4fdd-9d00-9b6df7a26624", "alpn_protocols": ["http/1.0", "http/1.1"]}}
    Response - Headers: {'date': 'Tue, 19 Jul 2022 23:04:30 GMT', 'server': 'Apache', 'content-length': '250', 'x-openstack-request-id': 'req-3280923b-c93d-4aec-bcd8-2d575e572c63', 'content-type': 'application/json', 'connection': 'close', 'status': '400', 'content-location': 'https://10.0.0.142:13876/v2.0/lbaas/listeners'}
        Body: b'{"faultcode": "Client", "faultstring": "The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [(\'digital envelope routines\', \'\', \'unsupported\')]", "debuginfo": null}'

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/tests/barbican_scenario/v2/test_tls_barbican.py", line 1113, in test_alpn_fallback_tls_traffic
    self._test_alpn_tls_traffic(s_protos, c_protos, expected)
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/tests/barbican_scenario/v2/test_tls_barbican.py", line 1152, in _test_alpn_tls_traffic
    listener = self.mem_listener_client.create_listener(**listener_kwargs)
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/common/decorators.py", line 42, in wrapper
    return f(*func_args, **func_kwargs)
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/services/load_balancer/v2/listener_client.py", line 127, in create_listener
    return self._create_object(**kwargs)
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/services/load_balancer/v2/base_client.py", line 101, in _create_object
    response, body = self.post(request_uri, jsonutils.dumps(obj_dict))
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 299, in post
    return self.request('POST', url, extra_headers, headers, body, chunked)
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 720, in request
    self._error_checker(resp, resp_body)
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 831, in _error_checker
    raise exceptions.BadRequest(resp_body, resp=resp)
tempest.lib.exceptions.BadRequest: Bad request
Details: {'faultcode': 'Client', 'faultstring': "The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('digital envelope routines', '', 'unsupported')]", 'debuginfo': None}


Version-Release number of selected component (if applicable):
17.0

How reproducible:
100%

Steps to Reproduce:
1. deploy OSP17 with FIPS
2. run the TLS tests from octavia-tempest-plugin (TLSWithBarbicanTest)

Comment 11 errata-xmlrpc 2022-09-21 12:24:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543